FATCA reporting system leaves taxpayer data vulnerable

After years of upheaval in the financial sector, taxpayer confusion, and widespread international angst, the IRS has finally unveiled its FATCA registration and reporting system. The system is known as IDES, or the International Data Exchange Service, and claims to provide “a secure web application … to transmit FATCA data directly to the IRS.”

Given the sensitive nature of the data involved, security is of paramount importance. Unfortunately, the track record of the U.S. government and the IRS suggests individual taxpayer data will be extremely vulnerable.

At issue is FATCA’s requirement that banks essentially spy on their U.S. customers and report a wide variety of detailed information to the IRS. The reporting requirements create multiple new sources of vulnerability for individual financial data thanks to the government’s inability to keep its technology up to date, the incompetence of its personnel, and the tendency of IRS bureaucrats to abuse their positions to punish political opponents.

Poor government record on cybersecurity

When it comes to cybersecurity, the record of the U.S. government can only be described as atrocious. Consider just a few recent events.

In 2012, sensitive infrastructure data on the nation’s 85,000 dams was taken from an Army Corps of Engineers database. A National Weather Service employee with ties to the Chinese government was later indicted for downloading restricted information that intelligence officials warn could be used to maximize the loss of life and property in a hypothetical attack on American infrastructure.

The next year, the Emergency Alert System was hacked and used to warn Americans of a zombie outbreak. Stations in several states interrupted programming to report that, “Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living.”

The month after that, in a particularly ironic twist, the web server of the National Institute of Standards and Technology, which hosts the government’s database of known software vulnerabilities, was itself exploited by a vulnerability and taken out of service for several days.

All told, there have been breaches of sensitive information from systems at the Departments of Defense, State, Justice, Labor, Energy, Commerce, and Homeland Security, as well as NASA, the EPA, the FDA, the Commodity Futures Trading Commission, and the Federal Reserve. And those are just the ones publicly reported.

Despite significant increases in federal spending on cybersecurity, the rate of breaches has grown each of the last 8 years for which data is available, increasing an incredible 1,012 percent from 5,503 incidents in 2006 to 61,214 in 2013. During this time the share of breaches exposing personal data has also grown, with an average of almost 40 percent of reported cybersecurity failures potentially exposing private data to outside groups.

The IRS itself has been accused by government watchdogs of having serious vulnerabilities, and of moving too slowly to fix them.

Every year since 2008, the Government Accounting Office has identified 100 cybersecurity weaknesses at the agency. Specifically, the IRS has been faulted for routinely failing to encrypt data or for using weak methods for doing so, allowing greater access to data than workers require to perform their duties, permitting user passwords that are easily guessed, and being dangerously slow to install crucial software updates and security patches.

This record alone is enough to question the ability of the IRS to secure and protect the sheer breadth of financial records it will receive due to FATCA, but serious concerns are already being raised about IDES’ specific security protocols.

The system’s rules for encryption recommend use of Electronic Codebook (ECB) as its encryption mode. ECB is widely faulted by cryptography experts as being incredibly weak, as it encrypts blocks one at a time and it thus does a poor job of hiding data patterns. Upon discovering the IDES recommendation of ECB in its protocols, prominent security expert Bruce Schneier incredulously asked, “Are they serious?”

Apparently they are not about protecting taxpayer information.

The human element may be worse

Cyber attacks are not the only threat to the private financial data collected by FATCA. Even greater danger may lurk in the form of IRS employees. Even the most secure system won’t provide sufficient protections if the IRS itself abuses the information it receives. There’s strong reason to suspect that will happen, as the IRS has in recent years engaged in numerous activities that either violate privacy rights or represent flagrant abuses of power.

For instance, the agency for years has been embroiled in scandal surrounding accusations that Tea Party and conservative groups were targeted for special attention.

During the course of the targeting investigation, emails revealed that donor lists from nonprofit groups were obtained as part of a “secret research project” conducted by a top IRS official. Two individuals involved in both the targeting and the secret project – Lois Lerner and David Fish – also had their hard drives containing tens of thousands of emails mysteriously crash.

When emails between the two were later recovered, one was reported to say, “No one will ever believe that both your hard drive and mine crashed within a week of each other.” They got that right.

The IRS initially claimed that the data on the drives was irretrievably destroyed because backup tapes did not exist, but it took only two weeks for outside investigators to find them. The Inspector General’s (IG) office conducting the investigation reported that the IT staff responsible for the tapes claim IRS officials never even asked for them. The IRS clearly believes itself beyond the law or legal oversight.

In another case, the IRS last year admitted wrongdoing and agreed to pay $50,000 in damages for the 2008 leak to a gay rights group of the National Organization for Marriage’s tax return. The leak included the name of the organization’s major donors, among which was then-Presidential candidate Mitt Romney, and also likely the leak’s true target.

And in further demonstration of the contempt with which the IRS treats the rules and its responsibilities, a recent IG report revealed that the IRS rehired hundreds of employees in recent years who had previously engaged in misconduct, including some who had improperly accessed taxpayer data.

Given this lax attitude toward preserving taxpayer privacy, it came as little surprise when another IG report last year revealed an identity theft ring operating out of an IRS office. The employees in that case were prosecuted and convicted, but how many such abuses are never caught thanks to the mismanagement and indifference of top IRS officials to the abuse of taxpayers is anyone’s guess.


Thanks to FATCA the IRS will have at its disposal more private taxpayer information than ever before. Institutions required to report on their clients owe it to them to demand the highest security for their data, security there is little reason to believe the IRS is willing or capable of providing.

These vulnerabilities don’t even account for the IGA nations where FATCA data will first be transmitted to local governments before the IRS, which could increase the risks exponentially. FATCA, in other words, is a privacy nightmare.

For all the trouble FATCA has caused during the implementation process alone, the worst may be yet to come. To make matters worse, it looks like just a warm-up to the OECD’s more ambitious plans for global tax information exchange.